An anonymous reader writes: At its Microsoft Connect(); 2018 virtual event today, Microsoft announced the initial public preview of Visual Studio 2019 -- you can download it now for Windows and Mac. Separately, .NET Core 2.2 has hit general availability and .NET Core 3.0 Preview 1 is also available today.

At the event today, Microsoft also made some open-source announcements, as is now common at the company's developer shindigs. Microsoft open-sourced three popular Windows UX frameworks on GitHub: Windows Presentation Foundation (WPF), Windows Forms, and Windows UI XAML Library (WinUI). Additionally, Microsoft announced the expansion of the .NET Foundation's membership model.

An anonymous reader writes: Saturday the Perl Advent Calendar entered its 19th year by describing how the Wise Old Elf used a Calendar::List module from CPAN to update his Elven Perl Monger website with all the dates for 2019. ("It is a well known fact that all of Santa's Elves are enthusiastic Perl Developers in their free time, contributing regularly to many of the amazing Perl projects we've come to know and love...")

But meanwhile, the Perl 6 Advent Calendar was describing how Santa gets data into the North Pole's CRM by defining a grammar unit which can be parsed using a built-in method (to trim out children's signatures) -- only to be chastised by his IT elf for failing to document his solution using Perl 6's built in markup language.

And 24Ways.org is also presenting its 14th annual "advent calendar for web geeks," a nicely-formatted offering that promises "a daily dose of web design and development goodness to bring you all a little Christmas cheer."

Meanwhile, the Go language site Gopher Academy launched their 6th annual advent calendar, describing how to split data with content-defined chunking.

Jose Valim, creator of the Elixir programming language, has also announced the fourth annual "Advent of Code," an event created by Eric Wastl that features an ongoing story that presents "a series of small programming puzzles for a variety of skill sets and skill levels in any programming language you like." (The folks behind the Nim programming language are even organizing their own leaderboard at Nim-lang.org.)

And even QEMU, a free and open-source emulator performing hardware virtualization, is getting into the act with a QEMU advent calendar offering "an amazing QEMU disk image" each day through December 24th.
Feel free to leave a comment with your own reactions -- or with the URL for your own favorite online geek advent calendars...

Amazon Web Services CEO Andy Jassy said in an interview on Wednesday that almost all of Amazon's databases that ran on Oracle will be on an Amazon database instead. "We're virtually done moving away from Oracle on the database side," Jassy said. "And I think by the end of 2019 or mid-2019 we'll be done." CNBC reports: Amazon is reducing its reliance on Oracle for its data needs and is instead using its own services. Jassy said 88 percent of Amazon databases that were running on Oracle will be on Amazon DynamoDB or Amazon Aurora by January. He added that 97 percent of "mission critical databases" will run on DynamoDB or Aurora by the end of the year. On Nov. 1, Amazon moved its data warehouse from Oracle to its own service, Redshift, Jassy said.

YouTube is removing the paywall for its original programming. Starting next year, the company will move to make all of its new original programming available for free for anyone to watch. "With the change, YouTube is moving toward more mainstream celebrity-driven and creator-based reality fare, while it will continue to greenlight scripted productions," reports Variety. From the report: Until now, YouTube Originals have mainly been available on its YouTube Premium subscription service, although YouTube also has expanded the shows and movies it makes available on an ad-supported basis. The company calls the new YouTube Originals strategy its "Single Slate," which will combine ad-supported and subscription VOD programming initiatives that by 2020 will provide free windows for all YouTube users. Some original productions will remain behind the paywall, including season 2 of "Cobra Kai," an offshoot of the "Karate Kid" movies. Moving forward, YouTube Premium will include early access to original, exclusive content as a reason to pay for the service. YouTube has faced stiff competition in trying to lure paying customers with original content against the likes of Netflix, Hulu and Amazon, which spend far more on content. "As we look to 2019, we will continue to invest in scripted programming and shift to make our YouTube Originals ad supported to meet the growing demand of a more global fanbase," a YouTube rep said in a statement. "This next phase of our originals strategy will expand the audience of our YouTube Original creators, and provide advertisers with incredible content that reaches the YouTube generation."

Slashdot reader theodp shares some thoughts from Virginia-based cloud architect Forrest Brazeal, who believes that switching jobs or teams makes you -- at least temporarily -- a worse programmer: "When you do take a new job," Brazeal writes, "everybody else will know things you don't know. You'll expend an enormous amount of time and mental energy just trying to keep up. This is usually called 'the learning curve'. The unstated assumption is that you must add new knowledge on top of the existing base of knowledge you brought from your previous job in order to succeed in the new environment.

"But that's not really what's happening. After all, some of your new coworkers have never worked at any other company. You have way more experience than they do. Why are they more effective than you right now? Because, for the moment, your old experience doesn't matter. You don't just need to add knowledge; you need to replace a wide body of experiences that became irrelevant when you turned in your notice at the old job. To put it another way: if you visualize your entire career arc as one giant learning curve, the places where you change jobs are marked by switchbacks."

He concludes, "I'm not saying you shouldn't switch jobs. Just remember that you can't expect to be the same person in the new cubicle. Your value is only partly based on your own knowledge and ingenuity. It's also wrapped up in the connections you've made inside your team: your ability to help others, their shared understanding of your strengths and weaknesses, and who knows what else. You will have to figure out new paths of communication in the new organization, build new backlogs of code references pertaining to your new projects, and find new mentors who can help you continue to grow. You will have to become a different programmer.

"There is no guarantee you will be a better one."
This seems counter-intuitive to me -- but what do Slashdot's readers think? Does switching jobs make you a worse programmer?

This week a Paris-born designer/developer (now living in Osaka) announced the results of the third annual "State of JavaScript" survey of over 20,000 JavaScript developers in 153 countries "to figure out what they're using, what they're happy with, and what they want to learn."

An anonymous reader writes: Among its findings? The number of people who have used Microsoft's TypeScript and said they would use it again has increased from 20.08% in 2016 to 46.7% in 2018, "and in some countries that ratio even went over 50%." More than 7,000 respondents indicated they liked its "robust, less error-prone code" and another 5,500 cited "elegant programming style and patterns." A blog post announcing the results declares TypeScript "the clear leader" among other syntaxes and languages that can compile to JavaScript.

Meanwhile, when it comes to frameworks, "only React has both a high satisfaction ratio and a large user base, although Vue is definitely getting there." Elsewhere the report notes Vue has already overtaken React for certain metrics such as total GitHub stars. "Angular on the other hand does boast a large user base, but its users don't seem too happy," the announcement adds, although later the report argues that Angular's poor satisfaction ratio "is probably in part due to the confusion between Angular and the older, deprecated AngularJS (previous surveys avoided this issue by featuring both as separate items)."
94% of the survey's respondents were male, and "Years of experience" for the respondents seemed to cluster in three cohorts in the demographics breakdown: 27.8% of respondents reported they had 2-5 years of experience, while 28% reported 5-10 years, and 24% reported 10-20 years.

There's a beautiful interactive graphic visualizing "connections between technologies," where a circle's outer red band is segmented based on the popularity of JavaScript libraries, while hovering over each band reveals the popularity of other libraries with its users. But while this year's results were presented on a "dark mode" web page, the survey's announcement concedes that this year's trends didn't include many surprises.

"TL;DR: things didn't change that much this year."

Long-time Microsoft programmer Raymond Chen recently shared a memory about an unusual single-line instruction that was once added into the Windows kernel code -- accompanied by an "incredulous" comment from the Microsoft programmer who added it:

;
; Invalidate the processor cache so that any stray gamma
; rays (I'm serious) that may have flipped cache bits
; while in S1 will be ignored.
;
; Honestly. The processor manufacturer asked for this.
; I'm serious.
invd

"Less than three weeks later, the INVD instruction was commented out," writes Chen. "But the comment block remains.

"In case we decide to resume trying to deal with gamma rays corrupting the the processor cache, I guess."

PHP 7.3 RC6 was released earlier this week. Phoronix ran some benchmarks and compared the performance of v7.3 RC6 with releases going back to the v5.5 series. From the story: I ran some fresh benchmarks over the past day on PHP 5.5.38, PHP 5.6.38, PHP 7.0.32, PHP 7.1.24, PHP 7.2.12, and the PHP 7.3.0-RC6 test release. All of the PHP5/PHP7 builds were configured and built in the same manner. All tests happened from the same Dell PowerEdge R7425 dual EPYC server running Ubuntu 18.10 Linux.

Besides continuing to evolve the performance of PHP7, the PHP 7.3 release is also delivering on FFI (the Foreign Function Interface) to access functions / variables / data structures from the C language, a platform-independent manner for obtaining information on network interfaces, an is_countable() call, WebP support within GD's image create from string, updated SQLite support, improved PHP garbage collection performance, and many other enhancements. PHP 7.3 is just shy of 10% faster than PHP 7.2 in the popular PHPBench. PHP 7.3 is 31% faster than PHP 7.0 or nearly 3x the speed of PHP5.

A recent TechCrunch article claimed to have identified the best indicator of programming language popularity: GitHub's annual "State of the Octoverse" reports. So Austin-based technology reporter Mike Melanson explored the new verdict in GitHub's 2018 report: It felt to me like the overarching theme of the numbers was one of quiet stasis for the year past, at least when it comes to those languages deemed the cream of the crop. One of the first graphics offered in the post shows the top languages according to the number of repositories created and we see that everything seems to be flowing along, just as it has for the last decade. While GitHub points to a "steady uptick" for JavaScript after 2011, it looks like this list of languages hasn't changed much over time. [The graphic shows the four most popular languages -- every year since early 2014 -- have been JavaScript, Java, Python, and PHP.]

When we look at the top languages according to the number of contributors, we see a similar story, with the top four languages mirrored. In this chart, of course, we see that Ruby is on a steady decline, while Typescript is on a steady rise. The only surprise to be seen here is that C, after a brief uptick in popularity, has taken a bit of a nosedive over the past year. Either way, seven of 10 languages have the same exact ranking....

Finally, beyond the language rankings themselves, GitHub offers a wonderful analysis of just what it is that makes a particular language popular in 2018, boiling it down to three key characteristics: thread safety, interoperability, and being open source.
GitHub's report also identifies its fastest growing languages over the last year -- including Kotin, TypeScript, Rust, Python, and Go. "This year, TypeScript shot up to #7 among top languages used on the platform overall, after making its way in the top 10 for the first time last year," the report notes.

"TypeScript is now in the top 10 most used languages across all regions GitHub contributors come from -- and across private, public, and open source repositories."

An anonymous reader quotes SD Times: Amazon wants to make sure Java is available for free to its users in the long term with the introduction of Amazon Corretto. The solution is a no-cost, multi-platform, production-ready distribution of the Open Java Development Kit (OpenJDK). "Java is one of the most popular languages in use by AWS customers, and we are committed to supporting Java and keeping it free," Arun Gupta, principal open-source technologist at Amazon, wrote in a blog post. "Many of our customers have become concerned that they would have to pay for a long-term supported version of Java to run their workloads. As a first step, we recently re-affirmed long-term support for Java in Amazon Linux. However, our customers and the broader Java community run Java on a variety of platforms, both on and off of AWS."

Amazon Corretto will be available with long-term support and Amazon will continue to make performance enhancements and security fixes to it, the company explained. Amazon plans on making quarterly updates with bug fixes and patches, as well as any urgent fixes necessary outside of its schedule... Corretto 8 is available as a preview with features corresponding to those in OpenJDK 8. General availability for the solution is planned for Q1 2019... "Corretto is designed as a drop-in replacement for all Java SE distributions unless you're using features not available in OpenJDK (e.g., Java Flight Recorder)," Gupta wrote....

According to Gupta, Corretto 8 will be available at no cost until at least June of 2023. The company is working on Corretto 11, which will be available until at least August of 2024. "Amazon has already made several contributions to OpenJDK 8 and we look forward to working closely with the OpenJDK community on future enhancements to OpenJDK 8 and 11," Gupta wrote. "We downstream fixes made in OpenJDK, add enhancements based on our own experience and needs, and then produce Corretto builds. In case any upstreaming efforts for such patches is not successful, delayed, or not appropriate for OpenJDK project, we will provide them to our customers for as long as they add value. If an issue is solved a different way in OpenJDK, we will move to that solution as soon as it is safe to do so."

GitHub saw more than 67 million pull requests this year -- more than a third of GitHub's "lifetime" total of 200 million pull requests since its launch in 2008. It now hosts 96 million repositories, and has over 31 million contributors -- including 8 million who just joined within the last 12 months.

These are among the facts released in GitHub's annual "State of the Octoverse" report -- a surprising number of which involve Microsoft.

• GitHub's top project this year, by contributor count, was Microsoft's Visual Studio Code (with 19,000 contributors), followed by Facebook's React Native (10,000), TensorFlow (9,300) and Angular CLI (8,800) -- as well as Angular (7,600) -- and the open source documentation for Microsoft Azure (7,800).

• Microsoft now has more employees contributing to open source projects than any other company or organization (7,700 employees), followed by Google (5,500), Red Hat (3,300), U.C. Berkeley (2,700), and Intel (2,200).

• The open source documentation for Microsoft Azure is GitHub's fastest-growing open source project, followed by PyTorch (an open source machine learning library for Python).

• Among the "Cool new open source projects" is an Electron app running Windows 95.

But more than 2.1 million organizations are now using GitHub (including public and private repositories) -- which is 40% more than last year -- and the report offers a fun glimpse into the minutiae of life in the coding community.

Read on for more details.

An anonymous reader quotes a report from NPR: A team of researchers conducted their analysis using data stored in something called the UK Biobank. More than 500,000 people have contributed blood, urine and saliva samples to the biobank, which scientists can use to answer various research questions. The volunteers also filled out questionnaires asking a variety of health-related questions, including how much coffee they drink. Part of what determines our sensitivity to bitter substances is determined by the genes we inherit from our parents. So the researchers used genetic analysis of samples from the biobank to find people who were more or less sensitive to three bitter substances: caffeine, quinine (think tonic water) and a chemical called propylthiouracil that is frequently used in genetic tests of people's ability to taste bitter compounds.

Then they looked to see if people sensitive to one or more of these substances drank more or less coffee than people who were not sensitive. To the researchers' surprise, people who were more sensitive to caffeine reported increased coffee consumption compared with people who were less sensitive. The result was restricted to the bitterness of caffeine. People sensitive to quinine and propylthiouracil -- neither of which is in coffee -- tended to drink less coffee. The effect of increased caffeine sensitivity was small: it only amounted to about two tablespoons more coffee per day. But by analyzing so many samples, the researchers were able to detect even small differences like that. The reason may be that people "learn to associate that bitter taste with the stimulation that coffee can provide," says one of the study authors.

A new report published in the journal Science Direct says there is no link between insomnia and early death. The researchers reportedly "reviewed 17 studies, which covered close to 37 million people, to compile their results," the BBC notes. From the report: This new report goes against what the NHS says, which claims that as well as putting people at risk of obesity, heart disease and type 2 diabetes, that insomnia shortens life expectancy. The NHS recommends things like exercising to tire yourself out during the day and cutting down on caffeine. It also says smoking, eating too much or drinking alcohol late at night can stop you from sleeping well. Other recommendations include writing a list of things that are playing on your mind and trying to get to bed at a similar time every night. "There was no difference in the odds of mortality for those individuals with symptoms of insomnia when compared to those without symptoms," the study says. "This finding was echoed in the assessment of the rate of mortality in those with and without symptoms of insomnia using the outcomes of multivariate models, with the most complete adjustment for potential confounders, as reported by the individual studies included in this meta-analysis. Additional analyses revealed a tendency for an increased risk of mortality associated with hypnotic use."

Microsoft announced Friday that it is opening up its online apps store to 64-bit ARM app submissions from developers, further cementing its commitment to make Windows 10 on ARM a viable platform. From a report: Also, with the release of Visual Studio 2017 version 15.9 this week, developers can now create ARM64 apps using officially supported SDK and tools. Microsoft announced Windows 10 on ARM in December 2017 with three big feature promises: The screen turns on "instantly," unlike existing PCs; LTE is built right in; and the battery can last for days. But the unveiling came with a big caveat. These Always Connected PCs, as Microsoft and Qualcomm call them, were not coming anytime soon. [...] Microsoft wants to help address the performance problems by getting developers to rebuild apps for the platform. Developers can now use Visual Studio 15.9 to recompile UWP and C++ Win32 apps to run natively on Windows 10 on ARM devices.

What do Heartbleed, WannaCry, and million dollar iPhone bugs have in common? From a report: One bug affects iPhones, another affects Windows, and the third affects servers running Linux. At first glance these might seem unrelated, but in reality all three were made possible because the software that was being exploited was written in programming languages which allow a category of errors called "memory unsafety." By allowing these types of vulnerabilities, languages such as C and C++ have facilitated a nearly unending stream of critical computer security vulnerabilities for years.

Imagine you had a program with a list of 10 numbers. What should happen if you asked the list for its 11th element? Most of us would say an error of some sort should occur, and in a memory safe programming language (for example, Python or Java) that's what would happen. In a memory unsafe programming language, it'll look at wherever in memory the 11th element would be (if it existed) and try to access it. Sometimes this will result in a crash, but in many cases you get whatever happens to be at that location in memory, even if that portion of memory has nothing to do with our list. This type of vulnerability is called a "buffer-overflow," and it's one of the most common types of memory unsafety vulnerabilities. HeartBleed, which impacted 17 percent of the secure web servers on the internet, was a buffer-overflow exploit, letting you read 60 kilobytes past the end of a list, including passwords and other users' data.

An anonymous reader writes: The Ruby programming language is impacted by a similar "deserialization issue" that has affected and wreaked havoc in the Java ecosystem in 2016; an issue that later also proved to be a problem for .NET and PHP applications as well. Researchers published proof-of-concept code this week showing how to exploit serialization/deserialization operations supported by the built-in features of the Ruby programming language itself.

"Versions 2.0 to 2.5 are affected," researchers said. "There is a lot of opportunity for future work including having the technique cover Ruby versions 1.8 and 1.9 as well as covering instances where the Ruby process is invoked with the command line argument --disable-all," the elttam team added. "Alternate Ruby implementations such as JRuby and Rubinius could also be investigated."

The deserialization issues can be used for remote code execution and taking over vulnerable servers. While .NET and PHP were affected, it was Java until now that has faced the biggest issues with deserialization, earlier this year, Oracle announcing it was dropping deserialization support from the Java language's standard package.

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

An anonymous reader quotes a report from Bloomberg: Amazon.com Inc. has taken another step toward eliminating software from Oracle Corp. that has long helped the e-commerce giant run its retail business. An executive with Amazon's cloud-computing unit hit back at Oracle Executive Chairman Larry Ellison, who ridiculed the internet giant as recently as last month for relying on Oracle databases to track transactions and store information, even though Amazon sells competing software, including Redshift, Aurora and DynamoDB. Amazon's effort to end its use of Oracle's products has made new progress, Andy Jassy, the chief executive officer of Amazon Web Services, tweeted Friday. "In latest episode of 'uh huh, keep talkin' Larry,' Amazon's Consumer business turned off its Oracle data warehouse Nov. 1 and moved to Redshift," Jassy wrote. By the end of 2018, Amazon will stop using 88 percent of its Oracle databases, including 97 percent of its mission-critical databases, he added.

Samsung said Wednesday it was rolling out new voice-assistant features to challenge its U.S. rivals' dominance in AI. At its developer conference, where the company is also expected to unveil its first foldable smartphone, the company said it was fully opening its virtual assistant, called Bixby, to third-party developers and businesses for the first time. The move may help the company challenge incumbent players Amazon's Alexa, Apple's Siri, and Google's Assistant.

Much of the assistant market is yet to be tapped, and it is the right time for developers to embrace Bixby, an executive said. The company said it is offering a no-trade off set of tools (what it calls Bixby Developer Studio) to developers to make use of Bixby. It's the first time any company is offering the full suite of tools that it uses to make its assistant to developers, the company said.

Further reading: VentureBeat.

Oracle's Internet Intelligence division has confirmed today the findings of a recently published academic paper that accused China of "hijacking the vital internet backbone of western countries." From a report: The research paper was authored by researchers from the US Naval War College and Tel Aviv University and it made quite a few waves online after it was published. Researchers accused China Telecom, one of China's biggest state-owned internet service providers, of hijacking and detouring internet traffic through its normally-closed internet infrastructure. Some security experts contested the research paper's findings because it didn't come from an authoritative voice in the world of internet BGP hijacks, but also because the paper touched on many politically sensitive topics, such as China's cyber-espionage activities and how China used BGP hijacks as a way to circumvent the China-US cyber pact of 2015. But today, Doug Madory, Director of Oracle's Internet Analysis division (formerly Dyn), confirmed that China Telecom has, indeed, engaged in internet traffic "misdirection." "I don't intend to address the paper's claims around the motivations of these actions," said Madori. "However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years."